@aztec/blob-lib 0.0.0-test.0 → 0.0.1-fake-c83136db25

package/dest/blob_batching.d.ts

@@ -0,0 +1,155 @@
+import { BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
+import { Blob } from './blob.js';
+import { BlobAccumulator, FinalBlobAccumulator, FinalBlobBatchingChallenges } from './circuit_types/index.js';
+/**
+ * A class to create, manage, and prove batched EVM blobs.
+ */
+export declare class BatchedBlob {
+    /** Hash of Cs (to link to L1 blob hashes). */
+    readonly blobCommitmentsHash: Fr;
+    /** Challenge point z such that p_i(z) = y_i. */
+    readonly z: Fr;
+    /** Evaluation y, linear combination of all evaluations y_i = p_i(z) with gamma. */
+    readonly y: BLS12Fr;
+    /** Commitment C, linear combination of all commitments C_i = [p_i] with gamma. */
+    readonly commitment: BLS12Point;
+    /** KZG opening 'proof' Q (commitment to the quotient poly.), linear combination of all blob kzg 'proofs' Q_i with gamma. */
+    readonly q: BLS12Point;
+    constructor(
+    /** Hash of Cs (to link to L1 blob hashes). */
+    blobCommitmentsHash: Fr, 
+    /** Challenge point z such that p_i(z) = y_i. */
+    z: Fr, 
+    /** Evaluation y, linear combination of all evaluations y_i = p_i(z) with gamma. */
+    y: BLS12Fr, 
+    /** Commitment C, linear combination of all commitments C_i = [p_i] with gamma. */
+    commitment: BLS12Point, 
+    /** KZG opening 'proof' Q (commitment to the quotient poly.), linear combination of all blob kzg 'proofs' Q_i with gamma. */
+    q: BLS12Point);
+    /**
+     * Get the final batched opening proof from multiple blobs.
+     * @dev MUST input all blobs to be broadcast. Does not work in multiple calls because z and gamma are calculated
+     *      beforehand from ALL blobs.
+     *
+     * @returns A batched blob.
+     */
+    static batch(blobs: Blob[][]): Promise<BatchedBlob>;
+    /**
+     * Returns an empty BatchedBlobAccumulator with precomputed challenges from all blobs in the epoch.
+     * @dev MUST input all blobs to be broadcast. Does not work in multiple calls because z and gamma are calculated
+     *      beforehand from ALL blobs.
+     */
+    static newAccumulator(blobs: Blob[][]): Promise<BatchedBlobAccumulator>;
+    /**
+     * Gets the final challenges based on all blobs and their elements to perform a multi opening proof.
+     * Used in BatchedBlobAccumulator as 'finalZ' and finalGamma':
+     *  - z = H(...H(H(z_0, z_1) z_2)..z_n)
+     *    - where z_i = H(H(fields of blob_i), C_i) = Blob.challengeZ,
+     *    - used such that p_i(z) = y_i = Blob.evaluationY for all n blob polynomials p_i().
+     *  - gamma = H(H(...H(H(y_0, y_1) y_2)..y_n), z)
+     *    - used such that y = sum_i { gamma^i * y_i }, and C = sum_i { gamma^i * C_i }, for all blob evaluations y_i (see above) and commitments C_i.
+     *
+     * @param blobs - The blobs to precompute the challenges for. Each sub-array is the blobs for an L1 block.
+     * @returns Challenges z and gamma.
+     */
+    static precomputeBatchedBlobChallenges(blobs: Blob[][]): Promise<FinalBlobBatchingChallenges>;
+    verify(): boolean;
+    getEthVersionedBlobHash(): Buffer;
+    /**
+     * Returns a proof of opening of the blobs to verify on L1 using the point evaluation precompile:
+     *
+     * input[:32]     - versioned_hash
+     * input[32:64]   - z
+     * input[64:96]   - y
+     * input[96:144]  - commitment C
+     * input[144:192] - commitment Q (a 'proof' committing to the quotient polynomial q(X))
+     *
+     * See https://eips.ethereum.org/EIPS/eip-4844#point-evaluation-precompile
+     */
+    getEthBlobEvaluationInputs(): `0x${string}`;
+    toFinalBlobAccumulator(): FinalBlobAccumulator;
+}
+/**
+ * See noir-projects/noir-protocol-circuits/crates/blob/src/abis/blob_accumulator.nr
+ */
+export declare class BatchedBlobAccumulator {
+    /** Hash of Cs (to link to L1 blob hashes). */
+    readonly blobCommitmentsHashAcc: Fr;
+    /** Challenge point z_acc. Final value used such that p_i(z) = y_i. */
+    readonly zAcc: Fr;
+    /** Evaluation y_acc. Final value is is linear combination of all evaluations y_i = p_i(z) with gamma. */
+    readonly yAcc: BLS12Fr;
+    /** Commitment c_acc. Final value is linear combination of all commitments C_i = [p_i] with gamma. */
+    readonly cAcc: BLS12Point;
+    /** KZG opening q_acc. Final value is linear combination of all blob kzg 'proofs' Q_i with gamma. */
+    readonly qAcc: BLS12Point;
+    /**
+     * Challenge point gamma_acc for multi opening. Used with y, C, and kzg 'proof' Q above.
+     * TODO(#13608): We calculate this by hashing natively in the circuit (hence Fr representation), but it's actually used
+     * as a BLS12Fr field elt. Is this safe? Is there a skew?
+     */
+    readonly gammaAcc: Fr;
+    /** Simply gamma^(i + 1) at blob i. Used for calculating the i'th element of the above linear comb.s */
+    readonly gammaPow: BLS12Fr;
+    /** Final challenge values used in evaluation. Optimistically input and checked in the final acc. */
+    readonly finalBlobChallenges: FinalBlobBatchingChallenges;
+    constructor(
+    /** Hash of Cs (to link to L1 blob hashes). */
+    blobCommitmentsHashAcc: Fr, 
+    /** Challenge point z_acc. Final value used such that p_i(z) = y_i. */
+    zAcc: Fr, 
+    /** Evaluation y_acc. Final value is is linear combination of all evaluations y_i = p_i(z) with gamma. */
+    yAcc: BLS12Fr, 
+    /** Commitment c_acc. Final value is linear combination of all commitments C_i = [p_i] with gamma. */
+    cAcc: BLS12Point, 
+    /** KZG opening q_acc. Final value is linear combination of all blob kzg 'proofs' Q_i with gamma. */
+    qAcc: BLS12Point, 
+    /**
+     * Challenge point gamma_acc for multi opening. Used with y, C, and kzg 'proof' Q above.
+     * TODO(#13608): We calculate this by hashing natively in the circuit (hence Fr representation), but it's actually used
+     * as a BLS12Fr field elt. Is this safe? Is there a skew?
+     */
+    gammaAcc: Fr, 
+    /** Simply gamma^(i + 1) at blob i. Used for calculating the i'th element of the above linear comb.s */
+    gammaPow: BLS12Fr, 
+    /** Final challenge values used in evaluation. Optimistically input and checked in the final acc. */
+    finalBlobChallenges: FinalBlobBatchingChallenges);
+    /**
+     * Create the empty accumulation state of the epoch.
+     * @returns An empty blob accumulator with challenges.
+     */
+    static newWithChallenges(finalBlobChallenges: FinalBlobBatchingChallenges): BatchedBlobAccumulator;
+    /**
+     * Given blob i, accumulate all state.
+     * We assume the input blob has not been evaluated at z.
+     * @returns An updated blob accumulator.
+     */
+    private accumulate;
+    /**
+     * Given blobs, accumulate all state.
+     * We assume the input blobs have not been evaluated at z.
+     * @param blobs - The blobs to accumulate. They should be in the same L1 block.
+     * @returns An updated blob accumulator.
+     */
+    accumulateBlobs(blobs: Blob[]): Promise<BatchedBlobAccumulator>;
+    /**
+     * Finalize accumulation state of the epoch.
+     * We assume ALL blobs in the epoch have been accumulated.
+     *
+     * Final accumulated values:
+     * - v := v_acc (hash of all commitments (C_i s) to be checked on L1)
+     * - z := z_acc (final challenge, at which all blobs are evaluated)
+     * - y := y_acc (final opening to be checked on L1)
+     * - c := c_acc (final commitment to be checked on L1)
+     * - gamma := poseidon2(gamma_acc, z) (challenge for linear combination of y and C, above)
+     *
+     * @param verifyProof - Whether to verify the KZG proof.
+     * @returns A batched blob.
+     */
+    finalize(verifyProof?: boolean): Promise<BatchedBlob>;
+    isEmptyState(): boolean;
+    clone(): BatchedBlobAccumulator;
+    toBlobAccumulator(): BlobAccumulator;
+    toFinalBlobAccumulator(): FinalBlobAccumulator;
+}
+//# sourceMappingURL=blob_batching.d.ts.map

package/dest/blob_batching.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"blob_batching.d.ts","sourceRoot":"","sources":["../src/blob_batching.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,0BAA0B,CAAC;AAEnE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,2BAA2B,EAAE,MAAM,0BAA0B,CAAC;AAI9G;;GAEG;AACH,qBAAa,WAAW;IAEpB,8CAA8C;aAC9B,mBAAmB,EAAE,EAAE;IACvC,gDAAgD;aAChC,CAAC,EAAE,EAAE;IACrB,mFAAmF;aACnE,CAAC,EAAE,OAAO;IAC1B,kFAAkF;aAClE,UAAU,EAAE,UAAU;IACtC,4HAA4H;aAC5G,CAAC,EAAE,UAAU;;IAT7B,8CAA8C;IAC9B,mBAAmB,EAAE,EAAE;IACvC,gDAAgD;IAChC,CAAC,EAAE,EAAE;IACrB,mFAAmF;IACnE,CAAC,EAAE,OAAO;IAC1B,kFAAkF;IAClE,UAAU,EAAE,UAAU;IACtC,4HAA4H;IAC5G,CAAC,EAAE,UAAU;IAG/B;;;;;;OAMG;WACU,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,OAAO,CAAC,WAAW,CAAC;IAgBzD;;;;OAIG;WACU,cAAc,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAK7E;;;;;;;;;;;OAWG;WACU,+BAA+B,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAmCnG,MAAM;IAKN,uBAAuB,IAAI,MAAM;IAIjC;;;;;;;;;;OAUG;IACH,0BAA0B,IAAI,KAAK,MAAM,EAAE;IAW3C,sBAAsB;CAGvB;AAED;;GAEG;AACH,qBAAa,sBAAsB;IAE/B,8CAA8C;aAC9B,sBAAsB,EAAE,EAAE;IAC1C,sEAAsE;aACtD,IAAI,EAAE,EAAE;IACxB,yGAAyG;aACzF,IAAI,EAAE,OAAO;IAC7B,qGAAqG;aACrF,IAAI,EAAE,UAAU;IAChC,oGAAoG;aACpF,IAAI,EAAE,UAAU;IAChC;;;;OAIG;aACa,QAAQ,EAAE,EAAE;IAC5B,uGAAuG;aACvF,QAAQ,EAAE,OAAO;IACjC,oGAAoG;aACpF,mBAAmB,EAAE,2BAA2B;;IAnBhE,8CAA8C;IAC9B,sBAAsB,EAAE,EAAE;IAC1C,sEAAsE;IACtD,IAAI,EAAE,EAAE;IACxB,yGAAyG;IACzF,IAAI,EAAE,OAAO;IAC7B,qGAAqG;IACrF,IAAI,EAAE,UAAU;IAChC,oGAAoG;IACpF,IAAI,EAAE,UAAU;IAChC;;;;OAIG;IACa,QAAQ,EAAE,EAAE;IAC5B,uGAAuG;IACvF,QAAQ,EAAE,OAAO;IACjC,oGAAoG;IACpF,mBAAmB,EAAE,2BAA2B;IAGlE;;;OAGG;IACH,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,EAAE,2BAA2B,GAAG,sBAAsB;IAalG;;;;OAIG;YACW,UAAU;IAyCxB;;;;;OAKG;IACG,eAAe,CAAC,KAAK,EAAE,IAAI,EAAE;IAkBnC;;;;;;;;;;;;;OAaG;IACG,QAAQ,CAAC,WAAW,UAAQ,GAAG,OAAO,CAAC,WAAW,CAAC;IAwBzD,YAAY;IAYZ,KAAK;IAaL,iBAAiB;IAWjB,sBAAsB;CAGvB"}

package/dest/blob_batching.js

@@ -0,0 +1,260 @@
+import { AZTEC_MAX_EPOCH_DURATION, BLOBS_PER_BLOCK } from '@aztec/constants';
+import { poseidon2Hash, sha256ToField } from '@aztec/foundation/crypto';
+import { BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
+import { computeBlobFieldsHashFromBlobs } from './blob_utils.js';
+import { BlobAccumulator, FinalBlobAccumulator, FinalBlobBatchingChallenges } from './circuit_types/index.js';
+import { computeEthVersionedBlobHash, hashNoirBigNumLimbs } from './hash.js';
+import { kzg } from './kzg_context.js';
+/**
+ * A class to create, manage, and prove batched EVM blobs.
+ */ export class BatchedBlob {
+    blobCommitmentsHash;
+    z;
+    y;
+    commitment;
+    q;
+    constructor(/** Hash of Cs (to link to L1 blob hashes). */ blobCommitmentsHash, /** Challenge point z such that p_i(z) = y_i. */ z, /** Evaluation y, linear combination of all evaluations y_i = p_i(z) with gamma. */ y, /** Commitment C, linear combination of all commitments C_i = [p_i] with gamma. */ commitment, /** KZG opening 'proof' Q (commitment to the quotient poly.), linear combination of all blob kzg 'proofs' Q_i with gamma. */ q){
+        this.blobCommitmentsHash = blobCommitmentsHash;
+        this.z = z;
+        this.y = y;
+        this.commitment = commitment;
+        this.q = q;
+    }
+    /**
+   * Get the final batched opening proof from multiple blobs.
+   * @dev MUST input all blobs to be broadcast. Does not work in multiple calls because z and gamma are calculated
+   *      beforehand from ALL blobs.
+   *
+   * @returns A batched blob.
+   */ static async batch(blobs) {
+        if (blobs.length > AZTEC_MAX_EPOCH_DURATION) {
+            throw new Error(`Too many blocks sent to batch(). The maximum is ${AZTEC_MAX_EPOCH_DURATION}. Got ${blobs.length}.`);
+        }
+        // Precalculate the values (z and gamma) and initialize the accumulator:
+        let acc = await this.newAccumulator(blobs);
+        // Now we can create a multi opening proof of all input blobs:
+        for (const blockBlobs of blobs){
+            acc = await acc.accumulateBlobs(blockBlobs);
+        }
+        return await acc.finalize();
+    }
+    /**
+   * Returns an empty BatchedBlobAccumulator with precomputed challenges from all blobs in the epoch.
+   * @dev MUST input all blobs to be broadcast. Does not work in multiple calls because z and gamma are calculated
+   *      beforehand from ALL blobs.
+   */ static async newAccumulator(blobs) {
+        const finalBlobChallenges = await this.precomputeBatchedBlobChallenges(blobs);
+        return BatchedBlobAccumulator.newWithChallenges(finalBlobChallenges);
+    }
+    /**
+   * Gets the final challenges based on all blobs and their elements to perform a multi opening proof.
+   * Used in BatchedBlobAccumulator as 'finalZ' and finalGamma':
+   *  - z = H(...H(H(z_0, z_1) z_2)..z_n)
+   *    - where z_i = H(H(fields of blob_i), C_i) = Blob.challengeZ,
+   *    - used such that p_i(z) = y_i = Blob.evaluationY for all n blob polynomials p_i().
+   *  - gamma = H(H(...H(H(y_0, y_1) y_2)..y_n), z)
+   *    - used such that y = sum_i { gamma^i * y_i }, and C = sum_i { gamma^i * C_i }, for all blob evaluations y_i (see above) and commitments C_i.
+   *
+   * @param blobs - The blobs to precompute the challenges for. Each sub-array is the blobs for an L1 block.
+   * @returns Challenges z and gamma.
+   */ static async precomputeBatchedBlobChallenges(blobs) {
+        // Compute the final challenge z to evaluate the blobs.
+        let z;
+        for (const blockBlobs of blobs){
+            // Compute the hash of all the fields in the block.
+            const blobFieldsHash = await computeBlobFieldsHashFromBlobs(blockBlobs);
+            for (const blob of blockBlobs){
+                // Compute the challenge z for each blob and accumulate it.
+                const challengeZ = await blob.computeChallengeZ(blobFieldsHash);
+                if (!z) {
+                    z = challengeZ;
+                } else {
+                    z = await poseidon2Hash([
+                        z,
+                        challengeZ
+                    ]);
+                }
+            }
+        }
+        if (!z) {
+            throw new Error('No blobs to precompute challenges for.');
+        }
+        // Now we have a shared challenge for all blobs, evaluate them...
+        const allBlobs = blobs.flat();
+        const proofObjects = allBlobs.map((b)=>b.evaluate(z));
+        const evaluations = await Promise.all(proofObjects.map(({ y })=>hashNoirBigNumLimbs(y)));
+        // ...and find the challenge for the linear combination of blobs.
+        let gamma = evaluations[0];
+        // We start at i = 1, because gamma is initialized as the first blob's evaluation.
+        for(let i = 1; i < allBlobs.length; i++){
+            gamma = await poseidon2Hash([
+                gamma,
+                evaluations[i]
+            ]);
+        }
+        gamma = await poseidon2Hash([
+            gamma,
+            z
+        ]);
+        return new FinalBlobBatchingChallenges(z, BLS12Fr.fromBN254Fr(gamma));
+    }
+    verify() {
+        return kzg.verifyKzgProof(this.commitment.compress(), this.z.toBuffer(), this.y.toBuffer(), this.q.compress());
+    }
+    // Returns ethereum's versioned blob hash, following kzg_to_versioned_hash: https://eips.ethereum.org/EIPS/eip-4844#helpers
+    getEthVersionedBlobHash() {
+        return computeEthVersionedBlobHash(this.commitment.compress());
+    }
+    /**
+   * Returns a proof of opening of the blobs to verify on L1 using the point evaluation precompile:
+   *
+   * input[:32]     - versioned_hash
+   * input[32:64]   - z
+   * input[64:96]   - y
+   * input[96:144]  - commitment C
+   * input[144:192] - commitment Q (a 'proof' committing to the quotient polynomial q(X))
+   *
+   * See https://eips.ethereum.org/EIPS/eip-4844#point-evaluation-precompile
+   */ getEthBlobEvaluationInputs() {
+        const buf = Buffer.concat([
+            this.getEthVersionedBlobHash(),
+            this.z.toBuffer(),
+            this.y.toBuffer(),
+            this.commitment.compress(),
+            this.q.compress()
+        ]);
+        return `0x${buf.toString('hex')}`;
+    }
+    toFinalBlobAccumulator() {
+        return new FinalBlobAccumulator(this.blobCommitmentsHash, this.z, this.y, this.commitment);
+    }
+}
+/**
+ * See noir-projects/noir-protocol-circuits/crates/blob/src/abis/blob_accumulator.nr
+ */ export class BatchedBlobAccumulator {
+    blobCommitmentsHashAcc;
+    zAcc;
+    yAcc;
+    cAcc;
+    qAcc;
+    gammaAcc;
+    gammaPow;
+    finalBlobChallenges;
+    constructor(/** Hash of Cs (to link to L1 blob hashes). */ blobCommitmentsHashAcc, /** Challenge point z_acc. Final value used such that p_i(z) = y_i. */ zAcc, /** Evaluation y_acc. Final value is is linear combination of all evaluations y_i = p_i(z) with gamma. */ yAcc, /** Commitment c_acc. Final value is linear combination of all commitments C_i = [p_i] with gamma. */ cAcc, /** KZG opening q_acc. Final value is linear combination of all blob kzg 'proofs' Q_i with gamma. */ qAcc, /**
+     * Challenge point gamma_acc for multi opening. Used with y, C, and kzg 'proof' Q above.
+     * TODO(#13608): We calculate this by hashing natively in the circuit (hence Fr representation), but it's actually used
+     * as a BLS12Fr field elt. Is this safe? Is there a skew?
+     */ gammaAcc, /** Simply gamma^(i + 1) at blob i. Used for calculating the i'th element of the above linear comb.s */ gammaPow, /** Final challenge values used in evaluation. Optimistically input and checked in the final acc. */ finalBlobChallenges){
+        this.blobCommitmentsHashAcc = blobCommitmentsHashAcc;
+        this.zAcc = zAcc;
+        this.yAcc = yAcc;
+        this.cAcc = cAcc;
+        this.qAcc = qAcc;
+        this.gammaAcc = gammaAcc;
+        this.gammaPow = gammaPow;
+        this.finalBlobChallenges = finalBlobChallenges;
+    }
+    /**
+   * Create the empty accumulation state of the epoch.
+   * @returns An empty blob accumulator with challenges.
+   */ static newWithChallenges(finalBlobChallenges) {
+        return new BatchedBlobAccumulator(Fr.ZERO, Fr.ZERO, BLS12Fr.ZERO, BLS12Point.ZERO, BLS12Point.ZERO, Fr.ZERO, BLS12Fr.ZERO, finalBlobChallenges);
+    }
+    /**
+   * Given blob i, accumulate all state.
+   * We assume the input blob has not been evaluated at z.
+   * @returns An updated blob accumulator.
+   */ async accumulate(blob, blobFieldsHash) {
+        const { proof, y: thisY } = blob.evaluate(this.finalBlobChallenges.z);
+        const thisC = BLS12Point.decompress(blob.commitment);
+        const thisQ = BLS12Point.decompress(proof);
+        const blobChallengeZ = await blob.computeChallengeZ(blobFieldsHash);
+        if (this.isEmptyState()) {
+            /**
+       * Init the first accumulation state of the epoch.
+       * - v_acc := sha256(C_0)
+       * - z_acc := z_0
+       * - y_acc := gamma^0 * y_0 = y_0
+       * - c_acc := gamma^0 * c_0 = c_0
+       * - gamma_acc := poseidon2(y_0.limbs)
+       * - gamma^(i + 1) = gamma^1 = gamma // denoted gamma_pow_acc
+       */ return new BatchedBlobAccumulator(sha256ToField([
+                blob.commitment
+            ]), blobChallengeZ, thisY, thisC, thisQ, await hashNoirBigNumLimbs(thisY), this.finalBlobChallenges.gamma, this.finalBlobChallenges);
+        } else {
+            // Moving from i - 1 to i, so:
+            return new BatchedBlobAccumulator(sha256ToField([
+                this.blobCommitmentsHashAcc,
+                blob.commitment
+            ]), await poseidon2Hash([
+                this.zAcc,
+                blobChallengeZ
+            ]), this.yAcc.add(thisY.mul(this.gammaPow)), this.cAcc.add(thisC.mul(this.gammaPow)), this.qAcc.add(thisQ.mul(this.gammaPow)), await poseidon2Hash([
+                this.gammaAcc,
+                await hashNoirBigNumLimbs(thisY)
+            ]), this.gammaPow.mul(this.finalBlobChallenges.gamma), this.finalBlobChallenges);
+        }
+    }
+    /**
+   * Given blobs, accumulate all state.
+   * We assume the input blobs have not been evaluated at z.
+   * @param blobs - The blobs to accumulate. They should be in the same L1 block.
+   * @returns An updated blob accumulator.
+   */ async accumulateBlobs(blobs) {
+        if (blobs.length > BLOBS_PER_BLOCK) {
+            throw new Error(`Too many blobs to accumulate. The maximum is ${BLOBS_PER_BLOCK} per block. Got ${blobs.length}.`);
+        }
+        // Compute the hash of all the fields in the block.
+        const blobFieldsHash = await computeBlobFieldsHashFromBlobs(blobs);
+        // Initialize the acc to iterate over:
+        let acc = this.clone();
+        for (const blob of blobs){
+            acc = await acc.accumulate(blob, blobFieldsHash);
+        }
+        return acc;
+    }
+    /**
+   * Finalize accumulation state of the epoch.
+   * We assume ALL blobs in the epoch have been accumulated.
+   *
+   * Final accumulated values:
+   * - v := v_acc (hash of all commitments (C_i s) to be checked on L1)
+   * - z := z_acc (final challenge, at which all blobs are evaluated)
+   * - y := y_acc (final opening to be checked on L1)
+   * - c := c_acc (final commitment to be checked on L1)
+   * - gamma := poseidon2(gamma_acc, z) (challenge for linear combination of y and C, above)
+   *
+   * @param verifyProof - Whether to verify the KZG proof.
+   * @returns A batched blob.
+   */ async finalize(verifyProof = false) {
+        // All values in acc are final, apart from gamma := poseidon2(gammaAcc, z):
+        const calculatedGamma = await poseidon2Hash([
+            this.gammaAcc,
+            this.zAcc
+        ]);
+        // Check final values:
+        if (!this.zAcc.equals(this.finalBlobChallenges.z)) {
+            throw new Error(`Blob batching mismatch: accumulated z ${this.zAcc} does not equal injected z ${this.finalBlobChallenges.z}`);
+        }
+        if (!calculatedGamma.equals(this.finalBlobChallenges.gamma.toBN254Fr())) {
+            throw new Error(`Blob batching mismatch: accumulated gamma ${calculatedGamma} does not equal injected gamma ${this.finalBlobChallenges.gamma.toBN254Fr()}`);
+        }
+        const batchedBlob = new BatchedBlob(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc, this.qAcc);
+        if (verifyProof && !batchedBlob.verify()) {
+            throw new Error(`KZG proof did not verify.`);
+        }
+        return batchedBlob;
+    }
+    isEmptyState() {
+        return this.blobCommitmentsHashAcc.isZero() && this.zAcc.isZero() && this.yAcc.isZero() && this.cAcc.isZero() && this.qAcc.isZero() && this.gammaAcc.isZero() && this.gammaPow.isZero();
+    }
+    clone() {
+        return new BatchedBlobAccumulator(Fr.fromBuffer(this.blobCommitmentsHashAcc.toBuffer()), Fr.fromBuffer(this.zAcc.toBuffer()), BLS12Fr.fromBuffer(this.yAcc.toBuffer()), BLS12Point.fromBuffer(this.cAcc.toBuffer()), BLS12Point.fromBuffer(this.qAcc.toBuffer()), Fr.fromBuffer(this.gammaAcc.toBuffer()), BLS12Fr.fromBuffer(this.gammaPow.toBuffer()), FinalBlobBatchingChallenges.fromBuffer(this.finalBlobChallenges.toBuffer()));
+    }
+    toBlobAccumulator() {
+        return new BlobAccumulator(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc, this.gammaAcc, this.gammaPow);
+    }
+    toFinalBlobAccumulator() {
+        return new FinalBlobAccumulator(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc);
+    }
+}

package/dest/blob_utils.d.ts

@@ -0,0 +1,30 @@
+import { BLS12Point, Fr } from '@aztec/foundation/fields';
+import { Blob } from './blob.js';
+/**
+ * @param blobs - The blobs to emit.
+ * @returns The blobs' compressed commitments in hex prefixed by the number of blobs. 1 byte for the prefix, 48 bytes
+ * per blob commitment.
+ * @dev Used for proposing blocks to validate injected blob commitments match real broadcast blobs.
+ */
+export declare function getPrefixedEthBlobCommitments(blobs: Blob[]): `0x${string}`;
+/**
+ * @param fields - Fields to broadcast in the blob(s)
+ * @returns As many blobs as required to broadcast the given fields to an L1 block.
+ *
+ * @throws If the number of fields does not match what's indicated by the checkpoint prefix.
+ */
+export declare function getBlobsPerL1Block(fields: Fr[]): Blob[];
+/**
+ * Get the fields from all blobs in the checkpoint. Ignoring the fields beyond the length specified by the
+ * checkpoint prefix (the first field).
+ *
+ * @param blobs - The blobs to read fields from. Should be all the blobs in the L1 block proposing the checkpoint.
+ * @param checkEncoding - Whether to check if the entire encoded blob fields are valid. If false, it will still check
+ * the checkpoint prefix and throw if there's not enough fields.
+ * @returns The fields added throughout the checkpoint.
+ */
+export declare function getBlobFieldsInCheckpoint(blobs: Blob[], checkEncoding?: boolean): Fr[];
+export declare function computeBlobFieldsHashFromBlobs(blobs: Blob[]): Promise<Fr>;
+export declare function computeBlobsHashFromBlobs(blobs: Blob[]): Fr;
+export declare function getBlobCommitmentsFromBlobs(blobs: Blob[]): BLS12Point[];
+//# sourceMappingURL=blob_utils.d.ts.map

package/dest/blob_utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"blob_utils.d.ts","sourceRoot":"","sources":["../src/blob_utils.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,0BAA0B,CAAC;AAE1D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAIjC;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,KAAK,MAAM,EAAE,CAS1E;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,CASvD;AAED;;;;;;;;GAQG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,aAAa,UAAQ,GAAG,EAAE,EAAE,CAEpF;AAED,wBAAsB,8BAA8B,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,EAAE,CAAC,CAQ/E;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,CAE3D;AAED,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAEvE"}

package/dest/blob_utils.js

@@ -0,0 +1,60 @@
+import { FIELDS_PER_BLOB } from '@aztec/constants';
+import { BLS12Point } from '@aztec/foundation/fields';
+import { Blob } from './blob.js';
+import { deserializeEncodedBlobToFields } from './deserialize.js';
+import { computeBlobFieldsHash, computeBlobsHash } from './hash.js';
+/**
+ * @param blobs - The blobs to emit.
+ * @returns The blobs' compressed commitments in hex prefixed by the number of blobs. 1 byte for the prefix, 48 bytes
+ * per blob commitment.
+ * @dev Used for proposing blocks to validate injected blob commitments match real broadcast blobs.
+ */ export function getPrefixedEthBlobCommitments(blobs) {
+    // Prefix the number of blobs.
+    const lenBuf = Buffer.alloc(1);
+    lenBuf.writeUint8(blobs.length);
+    const blobBuf = Buffer.concat(blobs.map((blob)=>blob.commitment));
+    const buf = Buffer.concat([
+        lenBuf,
+        blobBuf
+    ]);
+    return `0x${buf.toString('hex')}`;
+}
+/**
+ * @param fields - Fields to broadcast in the blob(s)
+ * @returns As many blobs as required to broadcast the given fields to an L1 block.
+ *
+ * @throws If the number of fields does not match what's indicated by the checkpoint prefix.
+ */ export function getBlobsPerL1Block(fields) {
+    if (!fields.length) {
+        throw new Error('Cannot create blobs from empty fields.');
+    }
+    const numBlobs = Math.ceil(fields.length / FIELDS_PER_BLOB);
+    return Array.from({
+        length: numBlobs
+    }, (_, i)=>Blob.fromFields(fields.slice(i * FIELDS_PER_BLOB, (i + 1) * FIELDS_PER_BLOB)));
+}
+/**
+ * Get the fields from all blobs in the checkpoint. Ignoring the fields beyond the length specified by the
+ * checkpoint prefix (the first field).
+ *
+ * @param blobs - The blobs to read fields from. Should be all the blobs in the L1 block proposing the checkpoint.
+ * @param checkEncoding - Whether to check if the entire encoded blob fields are valid. If false, it will still check
+ * the checkpoint prefix and throw if there's not enough fields.
+ * @returns The fields added throughout the checkpoint.
+ */ export function getBlobFieldsInCheckpoint(blobs, checkEncoding = false) {
+    return deserializeEncodedBlobToFields(Buffer.concat(blobs.map((b)=>b.data)), checkEncoding);
+}
+export async function computeBlobFieldsHashFromBlobs(blobs) {
+    const fields = blobs.map((b)=>b.toFields()).flat();
+    const numBlobFields = fields[0].toNumber();
+    if (numBlobFields > fields.length) {
+        throw new Error(`The prefix indicates ${numBlobFields} fields. Got ${fields.length}.`);
+    }
+    return await computeBlobFieldsHash(fields.slice(0, numBlobFields));
+}
+export function computeBlobsHashFromBlobs(blobs) {
+    return computeBlobsHash(blobs.map((b)=>b.getEthVersionedBlobHash()));
+}
+export function getBlobCommitmentsFromBlobs(blobs) {
+    return blobs.map((b)=>BLS12Point.decompress(b.commitment));
+}

package/dest/circuit_types/blob_accumulator.d.ts

@@ -0,0 +1,21 @@
+import { BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
+import { BufferReader, FieldReader } from '@aztec/foundation/serialize';
+/**
+ * See `noir-projects/noir-protocol-circuits/crates/blob/src/abis/blob_accumulator.nr` for documentation.
+ */
+export declare class BlobAccumulator {
+    blobCommitmentsHashAcc: Fr;
+    zAcc: Fr;
+    yAcc: BLS12Fr;
+    cAcc: BLS12Point;
+    gammaAcc: Fr;
+    gammaPowAcc: BLS12Fr;
+    constructor(blobCommitmentsHashAcc: Fr, zAcc: Fr, yAcc: BLS12Fr, cAcc: BLS12Point, gammaAcc: Fr, gammaPowAcc: BLS12Fr);
+    static empty(): BlobAccumulator;
+    equals(other: BlobAccumulator): boolean;
+    static fromBuffer(buffer: Buffer | BufferReader): BlobAccumulator;
+    toBuffer(): Buffer<ArrayBufferLike>;
+    toFields(): Fr[];
+    static fromFields(fields: Fr[] | FieldReader): BlobAccumulator;
+}
+//# sourceMappingURL=blob_accumulator.d.ts.map

package/dest/circuit_types/blob_accumulator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"blob_accumulator.d.ts","sourceRoot":"","sources":["../../src/circuit_types/blob_accumulator.ts"],"names":[],"mappings":"AACA,OAAO,EAAW,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,YAAY,EAAE,WAAW,EAAqB,MAAM,6BAA6B,CAAC;AAE3F;;GAEG;AACH,qBAAa,eAAe;IAEjB,sBAAsB,EAAE,EAAE;IAC1B,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,OAAO;IACb,IAAI,EAAE,UAAU;IAChB,QAAQ,EAAE,EAAE;IACZ,WAAW,EAAE,OAAO;gBALpB,sBAAsB,EAAE,EAAE,EAC1B,IAAI,EAAE,EAAE,EACR,IAAI,EAAE,OAAO,EACb,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,EAAE,EACZ,WAAW,EAAE,OAAO;IAG7B,MAAM,CAAC,KAAK,IAAI,eAAe;IAI/B,MAAM,CAAC,KAAK,EAAE,eAAe;IAW7B,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,GAAG,eAAe;IAYjE,QAAQ;IAWR,QAAQ;IAaR,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,EAAE,GAAG,WAAW,GAAG,eAAe;CAe/D"}

package/dest/circuit_types/blob_accumulator.js

@@ -0,0 +1,58 @@
+import { BLS12_FQ_LIMBS, BLS12_FR_LIMBS } from '@aztec/constants';
+import { BLS12Fq, BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
+import { BufferReader, FieldReader, serializeToBuffer } from '@aztec/foundation/serialize';
+/**
+ * See `noir-projects/noir-protocol-circuits/crates/blob/src/abis/blob_accumulator.nr` for documentation.
+ */ export class BlobAccumulator {
+    blobCommitmentsHashAcc;
+    zAcc;
+    yAcc;
+    cAcc;
+    gammaAcc;
+    gammaPowAcc;
+    constructor(blobCommitmentsHashAcc, zAcc, yAcc, cAcc, gammaAcc, gammaPowAcc){
+        this.blobCommitmentsHashAcc = blobCommitmentsHashAcc;
+        this.zAcc = zAcc;
+        this.yAcc = yAcc;
+        this.cAcc = cAcc;
+        this.gammaAcc = gammaAcc;
+        this.gammaPowAcc = gammaPowAcc;
+    }
+    static empty() {
+        return new BlobAccumulator(Fr.ZERO, Fr.ZERO, BLS12Fr.ZERO, BLS12Point.ZERO, Fr.ZERO, BLS12Fr.ZERO);
+    }
+    equals(other) {
+        return this.blobCommitmentsHashAcc.equals(other.blobCommitmentsHashAcc) && this.zAcc.equals(other.zAcc) && this.yAcc.equals(other.yAcc) && this.cAcc.equals(other.cAcc) && this.gammaAcc.equals(other.gammaAcc) && this.gammaPowAcc.equals(other.gammaPowAcc);
+    }
+    static fromBuffer(buffer) {
+        const reader = BufferReader.asReader(buffer);
+        return new BlobAccumulator(Fr.fromBuffer(reader), Fr.fromBuffer(reader), BLS12Fr.fromBuffer(reader), BLS12Point.fromBuffer(reader), Fr.fromBuffer(reader), BLS12Fr.fromBuffer(reader));
+    }
+    toBuffer() {
+        return serializeToBuffer(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc, this.gammaAcc, this.gammaPowAcc);
+    }
+    toFields() {
+        return [
+            this.blobCommitmentsHashAcc,
+            this.zAcc,
+            ...this.yAcc.toNoirBigNum().limbs.map(Fr.fromString),
+            ...this.cAcc.x.toNoirBigNum().limbs.map(Fr.fromString),
+            ...this.cAcc.y.toNoirBigNum().limbs.map(Fr.fromString),
+            new Fr(this.cAcc.isInfinite),
+            this.gammaAcc,
+            ...this.gammaPowAcc.toNoirBigNum().limbs.map(Fr.fromString)
+        ];
+    }
+    static fromFields(fields) {
+        const reader = FieldReader.asReader(fields);
+        return new BlobAccumulator(reader.readField(), reader.readField(), BLS12Fr.fromNoirBigNum({
+            limbs: reader.readFieldArray(BLS12_FR_LIMBS).map((f)=>f.toString())
+        }), new BLS12Point(BLS12Fq.fromNoirBigNum({
+            limbs: reader.readFieldArray(BLS12_FQ_LIMBS).map((f)=>f.toString())
+        }), BLS12Fq.fromNoirBigNum({
+            limbs: reader.readFieldArray(BLS12_FQ_LIMBS).map((f)=>f.toString())
+        }), reader.readBoolean()), reader.readField(), BLS12Fr.fromNoirBigNum({
+            limbs: reader.readFieldArray(BLS12_FR_LIMBS).map((f)=>f.toString())
+        }));
+    }
+}

package/dest/circuit_types/final_blob_accumulator.d.ts

@@ -0,0 +1,22 @@
+import { BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
+import { BufferReader } from '@aztec/foundation/serialize';
+import { inspect } from 'util';
+/**
+ * See `noir-projects/noir-protocol-circuits/crates/blob/src/abis/final_blob_accumulator.nr` for documentation.
+ */
+export declare class FinalBlobAccumulator {
+    blobCommitmentsHash: Fr;
+    z: Fr;
+    y: BLS12Fr;
+    c: BLS12Point;
+    constructor(blobCommitmentsHash: Fr, z: Fr, y: BLS12Fr, c: BLS12Point);
+    static empty(): FinalBlobAccumulator;
+    static fromBuffer(buffer: Buffer | BufferReader): FinalBlobAccumulator;
+    toBuffer(): Buffer<ArrayBufferLike>;
+    toFields(): Fr[];
+    toString(): string;
+    equals(other: FinalBlobAccumulator): boolean;
+    static random(): FinalBlobAccumulator;
+    [inspect.custom](): string;
+}
+//# sourceMappingURL=final_blob_accumulator.d.ts.map

package/dest/circuit_types/final_blob_accumulator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"final_blob_accumulator.d.ts","sourceRoot":"","sources":["../../src/circuit_types/final_blob_accumulator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,YAAY,EAAqB,MAAM,6BAA6B,CAAC;AAE9E,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAE/B;;GAEG;AACH,qBAAa,oBAAoB;IAEtB,mBAAmB,EAAE,EAAE;IACvB,CAAC,EAAE,EAAE;IACL,CAAC,EAAE,OAAO;IACV,CAAC,EAAE,UAAU;gBAHb,mBAAmB,EAAE,EAAE,EACvB,CAAC,EAAE,EAAE,EACL,CAAC,EAAE,OAAO,EACV,CAAC,EAAE,UAAU;IAGtB,MAAM,CAAC,KAAK,IAAI,oBAAoB;IAIpC,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,GAAG,oBAAoB;IAUtE,QAAQ;IAIR,QAAQ;IAUR,QAAQ;IAQR,MAAM,CAAC,KAAK,EAAE,oBAAoB;IAUlC,MAAM,CAAC,MAAM;IAIb,CAAC,OAAO,CAAC,MAAM,CAAC;CAQjB"}